# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_SMACK
	bool "Simplified Mandatory Access Control Kernel Support"
	depends on NET
	depends on INET
	depends on SECURITY
	select NETLABEL
	select SECURITY_NETWORK
	default n
	help
	  This selects the Simplified Mandatory Access Control Kernel.
	  Smack is useful for sensitivity, integrity, and a variety
	  of other mandatory security schemes.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_BRINGUP
	bool "Reporting on access granted by Smack rules"
	depends on SECURITY_SMACK
	default n
	help
	  Enable the bring-up ("b") access mode in Smack rules.
	  When access is granted by a rule with the "b" mode a
	  message about the access requested is generated. The
	  intention is that a process can be granted a wide set
	  of access initially with the bringup mode set on the
	  rules. The developer can use the information to
	  identify which rules are necessary and what accesses
	  may be inappropriate. The developer can reduce the
	  access rule set once the behavior is well understood.
	  This is a superior mechanism to the oft abused
	  "permissive" mode of other systems.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_NETFILTER
	bool "Packet marking using secmarks for netfilter"
	depends on SECURITY_SMACK
	depends on NETWORK_SECMARK
	depends on NETFILTER
	default n
	help
	  This enables security marking of network packets using
	  Smack labels.
	  If you are unsure how to answer this question, answer N.

config SECURITY_SMACK_APPEND_SIGNALS
	bool "Treat delivering signals as an append operation"
	depends on SECURITY_SMACK
	default n
	help
	  Sending a signal has been treated as a write operation to the
	  receiving process. If this option is selected, the delivery
	  will be an append operation instead. This makes it possible
	  to differentiate between delivering a network packet and
	  delivering a signal in the Smack rules.
	  If you are unsure how to answer this question, answer N.